1 / 20

Explicit hard instances of the shortest vector problem

Explicit hard instances of the shortest vector problem. Johannes Buchmann Richard Lindner Markus Rückert. Outline. Motivation Foundations Construction Experiments Participation. Motivation. Motivation. PQC schemes rely on lattice problems GGH `96, NTRU `96, Regev `05, GPV `08

chul
Download Presentation

Explicit hard instances of the shortest vector problem

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Explicit hard instances of the shortest vector problem Johannes Buchmann Richard Lindner Markus Rückert

  2. Outline • Motivation • Foundations • Construction • Experiments • Participation

  3. Motivation

  4. Motivation • PQC schemes rely on lattice problems • GGH `96, NTRU `96, Regev `05, GPV `08 • No unified comparison of lattice reduction • Other challenges based on secret • GGH, NTRU

  5. Foundations

  6. Family of lattice classes • Definitions • Lattice: ¤ discrete additive subgroup of Rm

  7. Family of lattice classes • Definitions • Lattice: ¤ discrete additive subgroup of Rm • Class: m = b c1 n ln(n) c, q = b nc2c, For X = (x1,…,xm) 2Zqn£n L(c1, c2, n, X) = { (v1,…,vm)2Zm | i vi xi´ 0 (mod q) } • Class Family: L = { L(c1,c2,n,¢) | c1¸2, c2<c1ln(2), n 2N}

  8. Existence of Short Vector Consider v2 {0,1}m , x1,…,xn2Zqn£n The function v i vi xi (mod q) Has collisions if 2m > qn The lattice L(…,X) 2L contains v2 {-1,0,1}m, so kvk2· m

  9. Hardness of Challenge • Asymptotically: Ajtai,Cai/Nerurkar,Micciancio/Regev,Gentry et al. Finding short vector ) Approx worst-case SVP • Practice: Gama and Nguyen Challenges hard for m ' 500 intractible for m ' 850

  10. Construction

  11. Explicit Bases • Using randomness of ¼ digits Choose X2Zqn£n randomly Set ¤ = L(…,X) 2L • Construction via dual lattice basis B = ( XT | qIm ) spans q¤? • Turn B into basis • Transform B/q into dual basis

  12. Experiments

  13. LLL-type LLL — Shoup fpLLL — Cadé, Stehlé sLLL — Filipović, Koy Run on Opteron 2.6GHz Implementations BKZ-type • BKZ — Shoup • PSR — Ludwig • PD — Filipović, Koy

  14. Performance of LLL-type Algorithms

  15. Performance of BKZ-type Algorithms

  16. Participation

  17. How to Participate • Go to www.LatticeChallenge.org • Download lattice basis Bm , norm bound º • Find v in ¤(Bm) such that kvk < º • Submit v

  18. www.LatticeChallenge.org Successful Participants (chronological order) • Nicolas Gama, Phong Q. Nguyen • Moon Sung Lee • Markus Rückert • Panagiotis Voulgaris

  19. Story • Praticipants found: solutions have many zeros • Strategy to focus on sublattices • Same oberservation as May, Silverman in 2001 working on NTRU • Lead to Hybrid Lattice-Reduction proposed 2007 by Howgrave-Graham

  20. Thank You Questions?

More Related